Backed by a consortium of high-tech heavyweights, legislation introduced
today seeks a compromise between law enforcement officials and the software
industry in the debate over federal export controls on strong encryption, technology that secures electronic communication.

As reported earlier,
Sen. John Ashcroft
(R-Missouri) and Sen. Patrick
Leahy's (D-Vermont) so-called E-Privacy Act would relax the Clinton
administration's rules that limit the export of strong encryption products
and requires that products shipped overseas eventually support key-recovery
systems. Key recovery gives law enforcement officials who have obtained a court
order a "spare key" to unlock the codes that secure email or computer files.

But in return for lifting some export regulations, the bill
also carves out some concessions for law enforcement officers, who say encryption helps high-tech criminals cover their tracks. For example, it would be illegal to encrypt "incriminating" documents.

Software industry trade groups have long opposed the key-recovery mandate on grounds
that it inhibits the ability of U.S. companies to compete against foreign competitors that are unrestricted--although some in the industry favor voluntary recovery schemes.

Drafted in part by the Americans
for Computer Privacy, the E-Privacy Act would lift the crypto export
regulations for products that generally are available on the international
market. The bill also would prohibit the government from mandating within those
products key-recovery systems or key escrow, in which copies of people's
private crypto keys are stored with licensed third parties or the
government.

Moreover, the right to use or sell encryption products of any strength would be
secured for people in the United States. But "exports to certain unfriendly
nations such as North Korea, Iraq, or Libya are absolutely prohibited," the
bill states.

However, before being cleared for export, all encryption products would have to
submit to a one-time technical review by the Commerce Department. Furthermore, a joint
government-industry board could be established under the bill to determine
when foreign suppliers plan to release encryption products
that are stronger than U.S. technology.

"There's been a push for legislation which would require individuals to
hand over the 'keys' to their private computer files," Ashcroft said in a
statement today. "Innocent citizens are expected to trust the
bureaucracy not to abuse their personal information, in spite of actions to
the contrary by agencies such as the IRS and the FBI. The E-Privacy Act
addresses these concerns by balancing privacy rights with legitimate
concerns of law enforcement."

In addition, the bill would ban legislative efforts to connect encryption
export relief with other security technologies, such as digital
certificates or signatures. At least one proposal floated in Congress last year attempted to link
domestic key-recovery mandates with the licensing of digital certificate
authorities. Digital certificates establish and verify the identity of
senders of encrypted communication such as financial transactions, and are
touted as a critical element in the success of e-commerce.

"Under current law, data stored on computer networks outside of a person's
possession may receive limited privacy protections. This data may be
accessible to government officials without the owner's knowledge and
without supervision by the courts," stated the Center for Democracy and Technology's (CDT)
analysis of the bill. "The E-Privacy Act would create new standards
protecting networked data as if it
were stored in an individual's possession. The act would require a court
order based upon probable cause, or a subpoena that the information's owner
has a meaningful opportunity to challenge."

But the Ashcroft-Leahy bill also makes room for the concerns of law enforcement officers who are worried that strong encryption aids criminals.

For example, the proposal would make it a felony to use encryption to "conceal incriminating communications or
information about a crime."

Also, a National Electronic
Technology (NET) Center would be set up to bring together encryption makers
and nationwide investigators who need assistance in decrypting messages to
bust suspected criminals. To break a code, investigators would
have to get the same federal court clearance necessary to conduct a wiretap. In some cases, such as getting the keys from a third party, law
enforcement could simply obtain a subpoena, however.

Both provisions concern civil liberties groups, but the industry is hopeful
that the E-Privacy Act will be the encryption debate compromise embraced by
Congress, the president, and the FBI, because other export
relief bills have never been cleared.

The Clinton administration's position on export limits has constantly
shifted with the tide--from mandating key-recovery in 1996 to last month's
admission by a high official that the policy is a failure.

"We strongly support the Ashcroft-Leahy bill. When I look at this bill and
compare it against what the administration's position has been, I can't find
any reason why it would not support this bill," said Lauren Hall, chief
technologist for the Software Publishers
Association.

"This bill is a good step forward," she added. "It allows the export of
encryption products to foreign market segments where similar products
already exist. Law enforcement always has argued that export controls
prevent encryption from falling into the wrong hands, but in those market
segments those arguments are invalid."

"It may, for instance, be the case that a typewritten ransom note poses a
more difficult challenge for forensic investigators than a handwritten
note. But it would be a mistake to criminalize the use of a typewriter
simply because it could make it more difficult to investigate crime in some
circumstances," stated EPIC's analysis of the bill.

"If the concern is that encryption techniques may be used to
obstruct access to evidence relevant to criminal investigations, we submit that the better approach may be to rely on other provisions in
the federal and state criminal codes," EPIC added.

EPIC and the CDT also discouraged the creation of the NET Center.

"The NET Center proposal, if approved, would constitute a fundamental
redefinition of the relationship between intelligence agencies and
domestic law enforcement," EPIC stated. "Such an approach would ignore
50 years of experience and would pose a serious threat to the privacy and
constitutional rights of Americans."

In the coming months these privacy concerns probably will be weighed, but
it is unlikely that law enforcement will easily give up its two prominent
allowances under the E-Privacy Act. Since the battle over the encryption
regulations has raged for more than three years, many say the E-Privacy Act is the
best fix.

"If anyone is looking for the compromise to resolve this difficult but
important issue, this is it," Sen. Conrad Burns (R-Montana), who
introduced the now-defunct Pro-Code encryption
export relief bill, said in a statement.

"It is time to move the debate forward," Burns added. "When our
high-technology sector gets the sniffles, the world comes down with the
flu. Our policies should contribute to the cure, not exacerbate the
illness."